Many known methods rely on cryptographic algorithms, such as the Data Encryption Standard (DES) or the Advanced Encryption Standard (AES), to encrypt and decrypt data transmitted via unsecured channels or networks connecting electronic devices of any kind. To this end, such devices are provided with cryptographic components that perform cryptographic operations to scramble messages so as to make them unintelligible without a secret decryption key. These components are typically implemented in CMOS (Complementary Metal Oxide Semiconductor) technology.
Cryptographic algorithms implemented in such components are generally safe enough from a mathematical point of view. However, because such an algorithm is physically implemented by integrated circuits, built from interconnected transistors that produce its logical functions, its execution generates observable physical quantities. Such quantities can be observed by means of an oscilloscope, for instance to monitor the power consumption of the integrated circuit. Sudden variations in power consumption appear as peaks on the oscilloscope screen. Each peak can, for instance, identify the start of a so-called “round”, typically in algorithms such as DES and AES, in which an input message to be encrypted is applied to a succession of groups of operations called “rounds”.
According to such an algorithm, each round is placed under the control of a sub-key resulting from the previous round. Such an algorithm therefore involves a series of sub-keys derived from a secret key used as the initial key within the algorithm. If this initial secret key becomes known to a malicious person, that person is able to decrypt and properly encrypt any message exchanged with a corresponding device that uses the same algorithm with the same secret key according to a symmetrical encryption scheme.
There are several ways to attack a cryptographic circuit in order to recover the initial secret key. Some attacks are known as non-invasive attacks, since they aim to observe the power consumption, the electromagnetic emanation or the processing time of the circuit. Other attacks are referred to as invasive attacks, since they involve modifying the circuit, in particular its behavior during a short lapse of time. In this latter category, Differential Fault Analysis (DFA) is known to be a serious threat against any encryption/decryption system.
Differential Fault Analysis is based on observing and comparing the outputs provided by a cryptographic circuit under two different states. One of these states corresponds to the normal operation of the circuit, whereas the other is obtained by deliberately injecting a fault that alters one or several bits by switching them from 0 to 1 or vice versa. Such a physical bit inversion can be carried out, e.g., by sweeping the surface of the integrated circuit with a laser beam. Once sensitive areas within the cryptographic circuit have been located, laser shots make it possible to disrupt the behavior of the circuit accurately and easily, since they can be applied under the control of a computer while acting with very good spatial and temporal resolution. When several faults are injected during the processing of a cryptographic algorithm, analysis of the erroneous outputs allows the secret key to be guessed by observing how the faults propagate within the algorithm.
Accordingly, there is a need for an efficient solution that prevents attackers from guessing the secret key through any differential fault analysis or, more generally, through information gained by any kind of analysis.